Practical recommendations on software licensing
Note: CNews first published this article of mine as a part of a more extensive article called "Microsoft: how to get rid of software chaos" around August 2007. I'm publishing it entirely, with all their edits, including their version of the article's title. I would have rewritten much of it already, but history is history. It is also a rough translation from Russian, so some things had to be interpreted.
How to get rid of illegal software – this topic has recently begun to occupy the minds of many IT directors. The main driving factor is strengthening government control in the legal sphere. There have been several high-profile criminal prosecution cases. There have been recent changes in the legislation regarding Intellectual Property rights. In courts, IT directors and system administrators have become the primary targets for prosecution. On the other hand, the benefits of transitioning to legal software are apparent: availability of technical support, timely security updates etc.
A pleasant trend for most CIOs is the increased attention of non-technical managers to the reliability of IT infrastructure and the management of risks associated with the use of IT. CFOs go further – they now require more transparent IT budgets and clearer ROI and would welcome managing software as assets.
And so, CIOs have come to a situation where they need to "legalise" software use.
Approaches to software "legalisation"
There are two approaches. One is a point-in-time elimination of illegally used software followed by deploying only necessary, licensed copies. This option is known by the name "legalisation".
The second long-term approach is to adopt a day-to-day management system: a set of policies, processes and procedures strategically aimed at effective software asset management. The goal is to continuously maintain the efficiency of the use of software and its relevance to the business processes in the organisation.
If you lack qualified in-house resources, you may outsource this to subject-matter experts from consulting companies.
Implementation of Licence Management, or more correctly, Software Asset Management, would typically go through the same core stages, but the efforts and the costs may vary.
The core stages of SAM implementation
An initial introductory phase precedes the work. It is necessary to get a general idea about the organisation, its IT infrastructure, and the software in use, in order to make an initial assessment of the scope and budget of the work.
There are also some questions worth getting answers to before the work begins. Who manages software purchases, and how? Who is responsible for end-user support? Who is responsible for licence compliance? How are IT assets managed? Is there a contract and proof-of-licence management system?
Among the technical issues, concentrate on those affecting the cost of SAM implementation the most. How many computers does the organisation have? How many departments are there: branches, warehouses, etc.? How are they connected? How many mobile devices are used, and are they managed? How difficult is it to get access to them?
Then you can proceed with the initial audit. The first step is determining what software is installed and how much is in actual use. Getting accurate figures down to a single instance is essential, as even one unlicensed use of the software is a compliance issue.
"Lightweight" tools
You may consider using automated tools to inventory and monitor software usage at this stage. If the purpose of your work is a one-off "legalisation", you can achieve your goals with one of a few "lightweight" tools. Such software tools, as a rule, are low-cost – from 200 roubles per computer, and even free sometimes. They don't require a steep learning curve. They usually have relatively low system requirements. Often, all you need is a workstation. A good example would be Microsoft Software Inventory Analyzer, which is free.
However, "lightweight" tools also have their drawbacks. The lower the price, the less data is collected, and the lower the recognition capabilities. Some software titles cannot be inventoried by scanning the registry alone; the tool also has to check the contents of hard disks. And some titles may have additional licensing terms that you cannot easily verify with "lightweight" tools.
Professional software asset management tools
If an organisation faces the task of solving strategic software asset management issues, it is worth considering a professional asset management tool. Among such tools are, for example, Microsoft System Management Server (SMS) and Avocent LanDesk.
The benefits of such tools include day-to-day management of software as assets, having information on their use in almost real-time, approaching changes proactively, and distributing and re-harvesting software in a centralised manner.
When estimating the costs, it is necessary to consider the cost of the licence for the tool itself and the costs of its installation and implementation. And, of course, don't forget the costs of the initial inventory data gathering.
The result of this stage shall be a detailed report on installed and used software.
Proof of licence
The next step is to collect proof of existing licences so you can compare them to the software inventory results to establish the organisation's compliance position.
Here, one should remember that licences may be on paper and in electronic form. Pay special attention to the "free" software's terms and conditions. For example, you may only deploy the free version of AVG antivirus on personal computers. Although you may install the free version of Google Earth on any computer, it is only for personal use.
Licences may be accompanied by other documents, such as stickers for the computer case (usually, OEM versions of products) and certificates of authenticity (COA). In addition, each licence must be accompanied by "proof of purchase" – supplier contracts, order forms, and invoices.
Physical and sometimes electronic master copies must be accounted for and audited, regardless of the licence type. A licence may also require other accompanying assets, such as packaging and operating manuals.
Understanding that a licence is a legally complex document with a load of technical details is essential. Legal professionals cannot always understand and see all the convoluted technical aspects and usage conditions. Licence analysis work requires the involvement of a subject-matter expert.
Costs at this stage depend on the number of software titles and how well the licences and collateral assets have been stored, accounted for, and organised.
If the purpose is a one-off "legalisation", the work is almost completed. However, evaluating the audit results and procuring the required licences is still necessary. Sub-optimal licensing may and shall be identified, including, oddly enough, excessive, unnecessary licensing. The one-off "legalisation" work ends when all the software in use fully complies with the existing licences' terms and conditions.
What's next?
Does it make sense to implement licence management after "legalisation"? The choice is between recurring "hole patching", i.e. somewhat regular realignment of licences with used software, and day-to-day proactive control of software assets and associated risks.
If an organisation decides to take the strategic approach, the ISO/IEC 19770-1:2006 standard called "Information technology – Software asset management – Part 1: Processes" can be a solid foundation for implementing the necessary policies, processes and procedures.
The advantage of implementing SAM for financial management is in optimising and managing software procurement costs – both through discounts on well-planned volume purchases and by reducing total procured volume through optimisation of assets and licence re-harvesting. Another benefit is the lower cost of negotiating with suppliers through the availability of complete information about the organisation's assets, internal standards and requirements. Optimisation of collateral IT costs is also worth mentioning. Successful implementation of licence management processes, for example, drives the reduction of technical support costs.
Using ISO/IEC 19770 as a foundation and guidance, an organisation can develop its own rules, policies, processes and procedures governing such aspects as:
accounting,
asset storage,
asset utilisation,
workplace standardisation,
update processes,
software installation,
change management,
incident management processes,
licence reuse and decommissioning.
The standard establishes over 20 groups of policies, processes and procedures aimed at professional, efficient software and collateral asset management.
You cannot transition to full compliance instantly. Full implementation can affect many organisational processes, so a sound action plan is needed. There is no one-size-fits-all implementation plan.
What is implemented
Software Asset Management tools are needed to measure installed copies of software and their usage regularly.
In addition, consider implementing databases storing all kinds of licence collateral: basic (underlying) licences, effective full licences, contracts, licence agreements, electronically signed documents, keys – all electronic documentation supporting your software assets.
To be ISO-compliant and efficient, it is also mandatory to implement journaling and record-keeping for everything. There are, at a minimum, requirements to record all activities and outcomes related to procurement and relationship management, change, incident and problem management, deployment management, and release and development management.
Approved procedures must have executive sign-off per accepted practices in the organisation. The necessary changes shall also be made to agreements with contractors and customers and to employment contracts.
In six months to a year, consider a SAM programme review. If you aim to become ISO 19770-compliant, such regular reviews are compulsory. It is recommended that a third party perform them.